Domain 3 - Legal Issues, Contracts and Electronic Discovery Flashcards

1
Q

What are the key Australian Data Protection Laws?

A
  1. The 1988 Privacy Act, amended in 2017 to add security breach notification
  2. Australian Consumer Law (ACL), which protects consumers from poor conduct by providers.
2
Q

What are the key laws in China?

A
  1. 2017 Cybersecurity Law - requires network operators to implement TOMs (technical and organisational measures), an incident response plan, e-evidence, vulnerability disclosure, and risk management reporting.
  2. Measures on the security of cross-border transfers of personal information - specifies categories of data that have to stay in China.
3
Q

What are the key laws in Japan?

A

Japan has multiple data protection laws.

  1. Act on the Protection of Personal Information
  2. Multiple health sector laws applicable to pharmacists, nurses, etc.
  3. Transfer of information to third parties without consent is prohibited unless the destination country has equivalent protection.
4
Q

What are the key EU laws?

A
  1. GDPR
  2. NIS2 Directive
5
Q

What are the obligations GDPR imposes on companies?

A
  1. Companies must keep records of processing activities (ROPA).
  2. Privacy Impact Assessments must precede certain processing.
  3. Services must be privacy by design and privacy by default.
  4. Processing of personal data requires the data subject's unambiguous consent.
  5. Breach notification.
  6. Cross-border transfers require (a) equivalent protection, (b) standard contractual clauses (SCC), (c) binding corporate rules, or (d) an industry code of conduct.
6
Q

Under GDPR what are the rights of the data subject?

A
  1. Object to the use of their data
  2. Information on how their data is used
  3. Right to be forgotten
  4. Right to have data corrected or erased
  5. Right to data portability
7
Q

What is NIS and its requirements?

A

Network and Information Security (NIS) is a directive that member states must implement into national law.

Requirements on operators of essential services (OES):

  • TOMs (technical and organisational measures) for information systems
  • Notifying competent authorities
  • Evidence of implementation of effective security policies through audits
  • Also covers providers of digital services (e.g. Cloud Service Providers)
8
Q

How are US laws on data protection structured?

A
  • Federal and state laws
  • They tend to be sectoral - e.g. HIPAA for health, GLBA for finance, COPPA for child privacy, etc.
  • States and their attorneys general also have fair practice acts which protect consumers from bad corporate behavior
9
Q

What do contracts and provider selection involve?

A
  • Internal due diligence - is cloud use permitted?
  • Monitoring, testing and updating - new laws and control effectiveness change over time.
  • External due diligence - review all relevant aspects of the CSP before procuring its services (SLAs, certifications, service terms, etc.)
  • Contract negotiations - review contracts even if they are not negotiable.
  • Reliance on third-party audits and attestations